Security & Operational Briefing
Handling a high volume of sensitive personal data, Vergic needs a state-of-the-art security architecture. Trusted by government institutions and some of the largest e-commerce companies in the world, we are regularly audited by external security teams to confirm that we meet their requirements.
Below is a Q&A on the most pressing security and operations questions. Please contact us if you require more information about Vergic Engage security.
What service models does Vergic support?
- SaaS Public (Public Multi-Tenant Cloud)
- SaaS Private – Private Cloud (Customer has its own Tenant)
- On-premise installation
For SaaS – what SLA levels does Vergic provide?
Vergic can provide both standard and custom SLA agreements. The standard SLA, with access to support 8-17 CET and 8-17 CT, is included in the standard license package. The SLA can be extended in different ways, for example:
- Dedicated support team/contacts
- Extended support hours
- Prioritized change/service requests
For SaaS – where are your servers located (e.g. geo-location) and how is the traffic distributed?
Vergic's global data center is located in Karlstad, Sweden. Complementary Amazon AWS data centres host so-called Vergic regional extenders in certain geographic locations to reduce latency.
Is the solution PCI/DSS compliant?
- Vergic is PCI compliant
Co-worker authentication – can the solution support multi-factor authentication?
- Vergic supports SAML 2.0 authentication; customers can run their own IdP with multi-factor authentication, in which case MFA is enforced by the customer's IdP rather than by Vergic
- Vergic's standard IdP does not require multi-factor authentication
Co-worker authentication – is it possible to connect to an internal CDS/LDAP directory?
- Yes, as long as the directory is exposed through a SAML 2.0 IdP
Is it possible to restrict access to the system by IP whitelisting?
- Yes. For SaaS this is available either through a dedicated SaaS IdP server provided by Vergic, or through a SAML 2.0 SSO setup where the customer's IdP applies the restriction
How is the communication between client (customer) and agent (co-worker) secured?
- All traffic is carried over HTTPS (TLS); no plaintext HTTP is used between the client, the agent and the Vergic platform
How is the solution safeguarded against malicious usage?
- Vergic is used by a number of large government institutions where sensitive personal data is exchanged through the solution. These organisations have a high security focus and
- Based on the above, the Vergic solution is regularly tested both by customers' internal security screening and through their external audits
- Vergic also commissions its own external security audits; the next audit is planned for this autumn
- The solution has never been compromised
Is there a need to open up the firewall to allow communication to/from agents (co-workers)?
- No. Outbound HTTPS is in most cases already open, as long as the agent workstation is allowed to access the internet. No inbound connections to the agent workstation are required
Do you provide APIs to access the information collected? If so – are these APIs documented?
- A REST interface is available to access data
- Extended data access can be provided through custom data services
- API documentation exists
Is it possible to extend/customize the co-worker facing application and integrate it with other external systems, e.g. a knowledge database or customer information search?
Yes, the agent view/interface can be enriched with other data and/or information. This can be based on the customer's web session and/or on integrations with third-party systems.
For interactive sessions: what is logged, and how can the level of logging be controlled?
- During a chat session between an agent and a visitor, the chat text and the visual guidance (co-browsing) operations are logged. These data are stored as case data in Vergic
- A more extensive logger runs in the background and records detailed data on what passes between the visitor, the agent and the system. These log files are, as standard, retained only for a limited time frame and are available only to system administrators
- What is logged, and how long this information is stored, can be configured in the system on a per-account basis
Is it possible to avoid tracking specific information (passwords, credit card numbers) while still presenting it in the chat – i.e. not logging/persisting this type of information?
- Yes, it is possible to avoid storing certain information. A regular-expression based service can remove or mask certain types of information when it is entered in a chat or appears on a co-browsed web page. Note that such matching is pattern based: a value that does not fit the configured patterns (for example a card number split across two messages) will not be caught, so the patterns should be tested against realistic input
- Session data such as secure logins and similar can be exposed to the agent while the chat session is ongoing and removed when the session is written to Vergic's data storage
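As an illustration of the regular-expression based masking described above, here is an added example (it is not Vergic's code and is not part of the original briefing). It masks card numbers and password-like values in chat text before persistence. The card pattern tolerates spaces or dashes between digit groups and a Luhn check is applied so that other long numbers, such as order or phone numbers, are left intact; the sample messages and the regular expressions are constructed for this example and are assumptions, not Vergic's configuration.

```python
import re

# Constructed sample chat messages for this example (not real customer data).
SAMPLE_MESSAGES = [
    "my card is 4111 1111 1111 1111 exp 12/26",
    "order 1234567890123 shipped",      # 13 digits but fails Luhn: left alone
    "password: hunter2 please",
    "call me at 0701234567",            # too short to be a card number
]

# Candidate card number: 13-19 digits, optionally separated by single spaces
# or dashes, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# "password: x", "pwd=x", "PIN x" and similar; the keyword is kept, the value dropped.
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd|pin)\b\s*[:=]?\s*(\S+)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    """Mask all but the last four digits of a Luhn-valid candidate; otherwise keep it."""
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_password(match: re.Match) -> str:
    """Keep the keyword so the transcript stays readable, drop the secret."""
    return f"{match.group(1)}: [REDACTED]"


def mask_message(text: str) -> str:
    """Apply all masking rules to one chat message."""
    text = PAN_RE.sub(_mask_pan, text)
    text = PASSWORD_RE.sub(_mask_password, text)
    return text


def mask_transcript(messages: list[str]) -> list[str]:
    """Masked copy of a transcript, as it would be written to storage."""
    return [mask_message(m) for m in messages]


if __name__ == "__main__":
    for original, masked in zip(SAMPLE_MESSAGES, mask_transcript(SAMPLE_MESSAGES)):
        print(f"{original!r:45} -> {masked!r}")
```

The agent still sees the unmasked message during the live session; only the copy passed through mask_transcript is persisted, which matches the split between live exposure and storage described above. The Luhn check is what keeps the order and phone numbers in the sample untouched.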
For co-worker activity (audit logging): what is logged, and how can the level of logging be controlled?
- Changes to the system configuration are versioned and logged
- Activities by administrators and agents in the system are logged
Is there a need for a client installation as part of the system? If so what type of client?
- No installation is required for a standard setup
For web browser clients: which browsers are supported for agents (co-workers)?
- For agents, Chrome, Firefox and Internet Explorer are supported. On web sites that serve mixed HTTP/HTTPS content there is a risk of limited functionality in certain browsers; for such web sites Firefox or Internet Explorer is currently recommended
If a chat is interrupted (e.g. because the customer has a bad internet connection), can the session reconnect to the same agent? If so, how is this achieved?
- Reconnection is supported. The agent is first informed of a weak connection; after a limited time the connection is marked as lost, and when the visitor reappears the session is reconnected to the same agent
- After the session has timed out it is not recoverable, and the visitor will have to re-enter through a queue
How is the solution typically integrated into an existing web site?
- By adding a JavaScript snippet just before the closing </body> tag on every page of the web site
Can information such as a user name be shared ahead of an interactive session? If so, how is this done?
- This can be done either through pre-chat data gathering or by adding required pre-chat fields to the chat invitation banner
- If the customer is already logged in, the identity can be read from the page (screen scraping) or, when a higher level of assurance is required, fetched from the authentication server through an integration